---
title: "EU ePrivacy consent-log evidence workflow for cookies and trackers"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow"
author: "Sorena AI"
description: "Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "Article 5(3)"
  - "cookie consent logs"
  - "consent evidence"
  - "cookie banner"
  - "tracker inventory"
  - "withdrawal of consent"
  - "cookie banner evidence"
---

# EU ePrivacy consent-log evidence workflow for cookies and trackers

Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.

## EU ePrivacy Directive Consent-log evidence workflow

Record why each cookie, SDK, pixel, local-storage item, or similar tracker is treated as consent-based, exempt, disabled, or escalated.

Use the workflow to preserve banner/version evidence, user signals, withdrawal paths, cookie inventory data, controller and vendor evidence, and source-linked limits for Article 5(3) work.

A consent log is useful only if it can explain the Article 5(3) decision behind the signal. For each cookie or similar technology, keep the technical trigger, consent or exemption basis, banner text and version, user action, withdrawal path, controller/vendor evidence, and the audit output that proves the live implementation matched the recorded decision.

## 1. Start with the storage or access decision

Create one record for each cookie, pixel, SDK call, local-storage key, device identifier, or similar technology that stores information on, or accesses information from, a user's terminal equipment. The record should not begin with the vendor's marketing category; it should begin with the Article 5(3) operation and the purpose it serves.

Classify the item as consent required, exempt under a transmission or strictly necessary analysis, disabled until review, or escalated because the implementation facts are incomplete. If the item has multiple purposes, record each purpose separately because an exemption should not be carried across to a non-exempt tracking purpose.

- Technical operation: storage, read access, identifier refresh, pixel request, SDK event, local processing, or other terminal-equipment interaction.
- Purpose: authentication, load balancing, security, shopping basket, media playback, user-requested preference, analytics, advertising, social plug-in, personalization, debugging, or another named purpose.
- Decision: consent required, exempt for transmission, exempt as strictly necessary for a user-requested service, blocked by default, or legal/product escalation.
- Evidence fields: cookie or tracker name, domain, first-party or third-party status, duration, trigger page, consent category, vendor, controller, processor or joint-controller note, and last scan date.

Sources for this answer:

- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the need to log storage and access operations beyond classic cookies, including terminal-equipment information and similar tracking technologies.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports separating consent-required trackers from cookies that may qualify for the transmission or strictly-necessary exemptions.

## 2. Preserve banner and version evidence

For every consent-required purpose, store the exact banner configuration shown when the signal was collected. The log should identify the banner version, language, jurisdiction or audience variant, first-layer text, second-layer settings text, button labels, default toggle state, and whether reject and manage choices were available at the same point in the journey.

The evidence should also show whether the banner avoided known weak practices: pre-ticked choices, consent inferred from scrolling or continuing to browse, misleading colour or contrast, hidden refusal routes, and confusing separation between rejecting Article 5(3) storage or access and objecting to later GDPR processing.

- Banner/version record: CMP configuration ID, release commit or ticket, publication time, affected domains, locale, screenshot or rendered HTML capture, and privacy or cookie notice URL.
- Choice architecture record: accept, reject, manage, save, and close behaviours; default state for each purpose; whether refusal is as prominent and understandable as acceptance.
- Information record: controller identity, purpose names, tracker categories, vendor list, storage duration, third-party access, and right-to-withdraw text available before the user acts.
- Regression record: automated scan or QA evidence that non-exempt cookies and similar trackers do not fire before the relevant consent signal.

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports logging the consent conditions: free, specific, informed, unambiguous, demonstrable, and withdrawable.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports recording banner design evidence, including refusal paths, misleading contrast, legitimate-interest confusion, and withdrawal access.

## 3. Capture signals without over-collecting

A consent log should be able to demonstrate that a user gave a clear affirmative signal for the named purpose before the non-exempt storage or access occurred. At the same time, the log should avoid collecting more personal data than needed to link the signal to the processing operation.

Store enough to prove the consent state and reconstruct the decision: pseudonymous user or device key where needed, timestamp, region or locale variant, banner version, purpose toggles, vendor list version, policy version, user action, and source of the event. Keep rejection and no-action states too, because they explain why trackers remained blocked.

- Accepted signal: purpose, vendor scope if used, clear affirmative action, timestamp, banner version, and pre-consent blocking proof.
- Rejected signal: rejected purposes, banner version, timestamp, and evidence that consent-required trackers stayed off.
- No valid signal: no action, closed banner, scroll-only interaction, pre-ticked state, or malformed event; resulting action should be block or escalation, not assumed consent.
- Change signal: new purpose, new vendor, changed duration, changed controller role, new device-access method, or banner copy change that requires renewed or refreshed evidence.

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports recording clear affirmative action, proof of consent, and limits on unnecessary consent-record data.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports treating invalid or unclear banner interactions as insufficient for consent-required cookies and similar technologies.
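The signal states listed in this section can be enforced at ingestion time. The following is an added example, not Sorena's or any CMP's own code: it classifies a raw banner event, refuses to read scroll-only, pre-ticked, or malformed events as consent, and keeps only an allow-listed set of fields plus a keyed pseudonymous key. All field names, action names, and sample values are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical action and field names; a real CMP's event schema will differ.
AFFIRMATIVE = {"accept_all", "save_choices"}
REFUSAL = {"reject_all"}
NOT_A_SIGNAL = {"none", "close_banner", "scroll", "continue_browsing"}
CONTEXT_FIELDS = ("banner_version", "vendor_list_version", "policy_version",
                  "locale", "source")


def pseudonymous_key(device_id, secret):
    """Keyed hash: links signals to one device without storing the raw identifier."""
    return hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()[:32]


def parse_utc(value):
    """Return an ISO-8601 UTC timestamp, or None if the input is unusable."""
    try:
        parsed = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        return None  # a timestamp without an offset is ambiguous evidence
    return parsed.astimezone(timezone.utc).isoformat()


def build_log_record(event, secret):
    """Classify a raw CMP event and return a minimised consent-log record."""
    purposes = event.get("purposes")
    defaults = event.get("default_state")
    defaults = defaults if isinstance(defaults, dict) else {}
    device_id = event.get("device_id")
    action = event.get("action")
    # Allow-list copy: anything else in the event (IP, user agent, ...) is dropped.
    record = {field: event.get(field) for field in CONTEXT_FIELDS}
    record.update(
        subject_key=pseudonymous_key(device_id, secret) if isinstance(device_id, str) else None,
        timestamp=parse_utc(event.get("timestamp")), action=action,
        granted=[], blocked=[], reason=None, escalate=False)
    well_formed = (
        record["subject_key"] and record["timestamp"] and isinstance(action, str)
        and all(record[field] for field in CONTEXT_FIELDS)
        and isinstance(purposes, dict) and purposes
        and all(isinstance(v, bool) for v in purposes.values()))
    if not well_formed:
        # Malformed evidence is never read as consent: nothing granted, escalate.
        record.update(state="no_valid_signal", reason="malformed_event", escalate=True)
        return record

    names = sorted(purposes)
    if action in REFUSAL:
        record.update(state="rejected", blocked=names)
    elif action in AFFIRMATIVE:
        chosen = [p for p in names if action == "accept_all" or purposes[p]]
        preticked = [p for p in chosen if defaults.get(p) is True]
        granted = [p for p in chosen if p not in preticked]
        record.update(granted=granted, blocked=[p for p in names if p not in granted])
        if preticked:
            record.update(reason="preticked:" + ",".join(preticked), escalate=True)
        if granted:
            record["state"] = "accepted"
        else:
            record["state"] = "no_valid_signal" if preticked else "rejected"
    else:
        known = action in NOT_A_SIGNAL
        record.update(state="no_valid_signal", blocked=names,
                      reason=f"not_affirmative:{action}" if known else "unknown_action",
                      escalate=not known)
    return record


# Constructed sample event, including fields the log should not keep.
SECRET = b"constructed-demo-key"
SAMPLE_EVENT = {
    "device_id": "dev-123", "action": "save_choices", "locale": "de-DE",
    "timestamp": "2026-05-09T10:00:00+02:00", "banner_version": "banner-14",
    "vendor_list_version": "vendors-7", "policy_version": "policy-3", "source": "web",
    "purposes": {"analytics": True, "advertising": False},
    "default_state": {"analytics": False, "advertising": False},
    "ip": "203.0.113.9", "user_agent": "constructed-agent/1.0",
}
```

Rejected and no-action events produce a record too, so the log can explain why trackers stayed blocked.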

## 4. Log withdrawal and downstream suppression

The withdrawal record is part of the consent evidence, not a separate afterthought. The workflow should show where the user can reopen privacy settings, how quickly the consent state changes, which cookies or identifiers are deleted or allowed to expire, and how tags, SDKs, server-side events, and vendor calls are suppressed after withdrawal.

The log should distinguish withdrawal of consent from a new refusal, browser deletion, opt-out for exempt analytics, and objection to later processing. Where the same user has multiple devices or browsers, record the scope of the signal honestly instead of implying a universal withdrawal that the system cannot enforce.

- Withdrawal access: persistent footer link, account setting, preference icon, or other visible route back to privacy choices.
- Withdrawal event: timestamp, prior state, new state, affected purposes and vendors, banner or settings version, and confirmation shown to the user.
- Technical effect: consent cookie update, tag-manager state, SDK disablement, server-side suppression, vendor API call, deletion job, or documented limitation.
- Audit check: repeat scan after withdrawal to confirm consent-required storage or access stops unless a separate exemption record applies.

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports making withdrawal available and as easy in practice as giving consent.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports keeping evidence that withdrawal routes are easily accessible and assessed case by case.

## 5. Tie cookie inventory, vendors, and controllers to the log

A consent log is weak if it records user choices but cannot connect them to the live tracker inventory. Maintain a reconciliation job that compares consent categories and vendor lists with browser scans, tag-manager exports, SDK manifests, server-side event routes, and contract or data-processing records.

For each third-party or vendor-operated technology, preserve the evidence that explains the role split: controller, joint controller, processor, or unresolved. The ePrivacy decision concerns storage or access to terminal equipment, while any personal-data processing that follows must also have a GDPR analysis; the workflow should keep those records linked but not merge them into a single legal basis.

- Inventory output: tracker name, domain, vendor, category, purpose, duration, trigger, first-party or third-party status, and whether it appears before or after consent.
- Controller/vendor output: controller identity shown to users, vendor purpose, contract or DPA reference, joint-controller note where relevant, and owner responsible for changes.
- Reconciliation output: unmatched cookies, unexpected vendors, changed durations, unclassified local-storage keys, tags firing before consent, and vendor list drift.
- GDPR/ePrivacy link: Article 5(3) consent or exemption record for storage or access, plus a separate record for any subsequent personal-data processing basis and transparency notice.

Sources for this answer:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports inventory reconciliation by noting that scan tools list placed cookies but cannot by themselves prove the nature or purpose of each cookie.
- [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Supports keeping the Article 5(3) storage/access decision linked to, but distinct from, GDPR analysis for later personal-data processing.
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Supports the device-control framing: users should be asked for consent before tracking cookies are stored to monitor online behaviour.

## 6. Close with audit outputs and source-linked limits

Close the workflow only when the team can export a compact evidence pack for a product release, vendor change, regulator question, customer inquiry, or internal audit. The pack should show the decision, the live implementation, the source basis, and the known limits.

Do not add country-specific penalties, regulator-specific banner rules, or analytics exemptions unless the cited source in the evidence pack supports them. For EU-wide ePrivacy content, the safer output is a decision workflow that records when local counsel or a market owner must review national implementation details.

- Audit pack: decision matrix, current cookie inventory, banner screenshots or HTML captures, CMP and vendor-list versions, consent and withdrawal event schema, and scan results before and after consent.
- Release gate: no consent-required tracker fires before consent; exempt cookies have a documented Article 5(3) reason; withdrawal is reachable; vendor changes trigger review.
- Exception register: doubtful exemptions, third-party analytics, advertising, social plug-ins, persistent identifiers, multi-purpose cookies, server-side tagging gaps, and unresolved controller roles.
- Source-linked limit: record that Article 5(3) applies to storage or access to terminal equipment, that consent must satisfy GDPR consent conditions when required, and that later personal-data processing needs its own GDPR basis.

Sources for this answer:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary EU text for Article 5(3) terminal-equipment consent and exemption framing.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports caution on doubtful exemptions, third-party advertising cookies, analytics, multi-purpose cookies, and purpose-based assessment.
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports including non-cookie techniques such as pixels, URL tracking, local processing, IoT reporting, and unique identifiers in the evidence workflow where they involve terminal-equipment storage or access.
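The reconciliation job from section 5, the post-withdrawal audit check from section 4, and the release gate above can share one comparison between the recorded decisions and scan output. The following is an added example, not Sorena's own code: the inventory layout, scan row format, finding names, and the split between blocking and review findings are assumptions, and all sample data is constructed.

```python
EXEMPT = {"exempt_transmission", "exempt_strictly_necessary"}
# Which findings fail the gate and which only open a review is an assumption here.
BLOCKING = {"fired_before_consent", "active_after_withdrawal",
            "unmatched_tracker", "exempt_without_reason"}


def needs_consent(entry):
    """A tracker may run without consent only if every one of its purposes is exempt."""
    return any(decision not in EXEMPT for decision, _ in entry["purposes"].values())


def reconcile(inventory, scan):
    """Compare the recorded decisions with observed storage/access operations."""
    findings = []
    for key, entry in inventory.items():
        for purpose, (decision, reason) in entry["purposes"].items():
            if decision in EXEMPT and not reason.strip():
                findings.append(("exempt_without_reason", key, purpose))
    for phase, name, domain, vendor, days in scan:
        key = (name, domain)
        entry = inventory.get(key)
        if entry is None:
            findings.append(("unmatched_tracker", key, phase))
            continue
        if needs_consent(entry) and phase == "pre_consent":
            findings.append(("fired_before_consent", key, phase))
        if needs_consent(entry) and phase == "post_withdrawal":
            findings.append(("active_after_withdrawal", key, phase))
        if vendor != entry["vendor"]:
            findings.append(("vendor_drift", key, vendor))
        if days > entry["max_days"]:
            findings.append(("duration_drift", key, f"{days}d > {entry['max_days']}d"))
    return sorted(set(findings))  # the same drift seen in two phases is reported once


def release_gate(findings):
    """Split findings into gate-blocking ones and ones that only open a review."""
    blocking = [f for f in findings if f[0] in BLOCKING]
    review = [f for f in findings if f[0] not in BLOCKING]
    return {"passed": not blocking, "blocking": blocking, "review": review}


# Constructed inventory: (name, domain) -> vendor, max duration, and one
# (decision, documented reason) pair per purpose.
SITE = "shop.example"
INVENTORY = {
    ("session_id", SITE): {"vendor": "first-party", "max_days": 1, "purposes": {
        "authentication": ("exempt_strictly_necessary", "keeps the user logged in")}},
    ("lb", SITE): {"vendor": "first-party", "max_days": 1, "purposes": {
        "load_balancing": ("exempt_transmission", "")}},
    ("_ana", SITE): {"vendor": "AnalyticsCo", "max_days": 390, "purposes": {
        "analytics": ("consent_required", "")}},
    ("pref", SITE): {"vendor": "first-party", "max_days": 180, "purposes": {
        "user_preference": ("exempt_strictly_necessary", "language chosen by the user"),
        "personalization": ("consent_required", "")}},
}
# Constructed scan rows: (phase, name, domain, vendor, duration_days).
SCAN = [
    ("pre_consent", "session_id", SITE, "first-party", 1),
    ("pre_consent", "pref", SITE, "first-party", 180),       # multi-purpose tracker
    ("post_consent", "_ana", SITE, "AnalyticsCo", 730),      # longer than recorded
    ("post_consent", "px_id", "ads.example", "AdCo", 30),    # not in the inventory
    ("post_withdrawal", "_ana", SITE, "AnalyticsCo", 730),   # still active
]

if __name__ == "__main__":
    result = release_gate(reconcile(INVENTORY, SCAN))
    print("PASS" if result["passed"] else "FAIL")
    for finding in result["blocking"] + result["review"]:
        print(finding)
```

The `pref` entry is flagged before consent even though one of its purposes is exempt, which is the section 1 rule that an exemption does not carry across to a non-exempt purpose.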

## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary EU source for Article 5(3) consent and exemption framing for storing or accessing information on terminal equipment.
  - Quote: "terminal equipment"
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Explains the technical scope of Article 5(3), including cookies and similar technologies that store or access terminal-equipment information.
  - Quote: "technical scope of Art. 5(3)"
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports consent-log fields for valid consent, proof of consent, clear affirmative action, and withdrawal.
  - Quote: "freely given, specific, informed and unambiguous"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports banner evidence checks for refusal routes, misleading design, legitimate-interest confusion, inventory scans, and withdrawal access.
  - Quote: "Cookie Banner Taskforce"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports recording when a cookie may be exempt because it is for transmission or strictly necessary for a service explicitly requested by the user.
  - Quote: "Cookie Consent Exemption"
- [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Supports keeping Article 5(3) storage/access evidence distinct from linked GDPR processing evidence.
  - Quote: "interplay between the ePrivacy Directive and the GDPR"
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Supports the workflow's device-control framing for cookies and other device access in the ePrivacy context.
  - Quote: "Users must be in control"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow
